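[PYG] Introduction to Algorithm Analysis, Lesson 11
【Article title】Introduction to Algorithm Analysis, Lesson 11
【Author】飘云
【Platform】WinXp
【Author e-mail】[email protected]
【Software name】电子档案之企业人事管理系统 V4.3 (Electronic Archives: Enterprise Personnel Management System V4.3)
【Software size】1436 KB
【Download URL】http://www.qusheng.com/bluefate/index.htm
【Download from this site】ftp://PYG:[email protected]/piaoyun/manager.rar
【Video tutorial】http://luowei.mireene.com/bbs/viewthread.php?tid=1767&fpage=1
【Software description】This is a highly general-purpose personnel management system for enterprises and institutions. It provides complete personnel file management, making adding, transferring and deleting personnel, printing personnel reports and so on exceptionally quick and convenient. The software also provides a range of auxiliary tools and a system security maintenance system, and users can define the software's operators and their permissions. The bundled personnel resource library introduces you to advanced personnel management concepts, and the attractive interface lets you fully enjoy your work! The new version adds data export, data analysis and other functions. Data export lets you easily export the database contents to Word, Excel, web pages and other formats. Data analysis keeps you fully informed about the database contents at any time and automatically generates web reports from the analysis, which can easily be published on the network. The software also provides a solution for database exception cases, so you can use it safely and with confidence.
【Tools】PEiD 0.92 (Chinese edition), W32Dasm 10.0 (Chinese-localized edition), OD (二哥's modified edition)
【Protection】Machine code + serial number
【Purpose】To study cracking and become proficient with the various tools.
【Statement】I am just a beginner; I happened to pick up a few insights and would like to share them with everyone :)
【Steps】First scan with PEiD 0.92, which reports UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
After manual unpacking and repair, a rescan reports Borland Delphi 6.0 - 7.0
Next, load the unpacked program in OD -- run -- string plugin -- and find the following key code: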
0059BA8D  mov ebp,esp
0059BA8F  push 0
0059BA91  push 0
0059BA93  push ebx
0059BA94  push esi
0059BA95  mov esi,edx
0059BA97  mov ebx,eax
0059BA99  xor eax,eax
0059BA9B  push ebp
0059BA9C  push 1_.0059BB35
0059BAA1  push dword ptr fs:
0059BAA4  mov dword ptr fs:,esp
0059BAA7  lea edx,dword ptr ss:
0059BAAA  mov eax,dword ptr ds:
0059BAB0  call 1_.0045536C
0059BAB5  mov eax,dword ptr ss:
0059BAB8  call 1_.0059B264 ★ this is the key call; enter it with F8 ★
0059BABD  test al,al
0059BABF  je short 1_.0059BB03 ★ if this jump is taken, it fails! ★
***************************************Entering call 59b264**************************************
0059B269  push ecx
0059B26A  push ecx
0059B26B  push ecx
0059B26C  push ecx
0059B26D  push ecx
0059B26E  push ecx
0059B26F  push ecx
0059B270  push ecx
0059B271  push ebx
0059B272  push esi
0059B273  push edi
0059B274  mov dword ptr ss:,eax
0059B277  mov eax,dword ptr ss: ; fake code
0059B27A  call 1_.00404E50
0059B27F  xor eax,eax
0059B281  push ebp
0059B282  push 1_.0059B3D8
0059B287  push dword ptr fs:
0059B28A  mov dword ptr fs:,esp
0059B28D  call 1_.00402D1C
0059B292  xor ebx,ebx
0059B294  lea eax,dword ptr ss:
0059B297  call 1_.0059B190 ;=============>> ★ algorithm call ★
0059B29C  lea eax,dword ptr ss:
0059B29F  mov edx,1_.0059B3F0 ; ASCII "~!@#$%^&*()_+|"
0059B2A4  call 1_.00404C70
0059B2A9  mov eax,dword ptr ss: ; here we get a string concatenated with "~!@#$%^&*()_+|",
                                ; so call 00404C70 is evidently used only for concatenation, and call 0059B190 is the algorithm call
0059B2AC  lea edx,dword ptr ss:
0059B2AF  call 1_.0059A338
0059B2B4  lea eax,dword ptr ss:
0059B2B7  mov ecx,1_.0059B3F0 ; ASCII "~!@#$%^&*()_+|"
0059B2BC  mov edx,dword ptr ss: ; fake code
0059B2BF  call 1_.00404CB4
0059B2C4  mov eax,dword ptr ss: ; the fake code concatenated with the string above
0059B2C7  lea edx,dword ptr ss:
0059B2CA  call 1_.0059A338
0059B2CF  mov eax,dword ptr ss:
0059B2D2  call 1_.00404C68 ; length of the fake code
0059B2D7  cmp eax,0C ; is it 12 characters?
0059B2DA  je short 1_.0059B31F ; analysis shows that what follows is only a series of verification steps (can be skipped);
                               ; the real algorithm call is the one above that produced the suspicious string
0059B2DC  push 1_.0059B408
0059B2E1  push dword ptr ss:
0059B2E4  push 1_.0059B414 ; ASCII "dsfasfsadfasdfsafasfasdfasdfasd"
0059B2E9  lea eax,dword ptr ss:
0059B2EC  mov edx,3
0059B2F1  call 1_.00404D28
0059B2F6  mov eax,dword ptr ss:
0059B2F9  lea edx,dword ptr ss:
0059B2FC  call 1_.0059A338
0059B301  mov eax,2710
0059B306  call 1_.00403354
0059B30B  and eax,80000001
0059B310  jns short 1_.0059B317
0059B312  dec eax
0059B313  or eax,FFFFFFFE
0059B316  inc eax
0059B317  test eax,eax
0059B319  je 1_.0059B3BD
0059B31F  lea eax,dword ptr ss:
0059B322  push eax
0059B323  mov ecx,3
0059B328  mov edx,1
0059B32D  mov eax,dword ptr ss:
0059B330  call 1_.00404EC0
0059B335  mov eax,dword ptr ss:
0059B338  mov edx,1_.0059B43C ; ASCII "MG4"
0059B33D  call 1_.00404DAC ; compare whether the first 3 characters are MG4
0059B342  je short 1_.0059B383
0059B344  push 1_.0059B448
0059B349  push dword ptr ss:
0059B34C  push 1_.0059B454 ; ASCII "2341234123412341234123423142314123"
0059B351  lea eax,dword ptr ss:
0059B354  mov edx,3
.
.
.
.
0059B3BF  pop edx
0059B3C0  pop ecx
0059B3C1  pop ecx
0059B3C2  mov dword ptr fs:,edx
0059B3C5  push 1_.0059B3DF
0059B3CA  lea eax,dword ptr ss:
0059B3CD  mov edx,8
0059B3D2  call 1_.004049D4
0059B3D7  retn
*****************************************Entering call 0059B190*****************************************
0059B190  push ebp
0059B191  mov ebp,esp
0059B193  xor ecx,ecx
0059B195  push ecx
0059B196  push ecx
0059B197  push ecx
0059B198  push ecx
0059B199  push ebx
0059B19A  mov ebx,eax
0059B19C  xor eax,eax
0059B19E  push ebp
0059B19F  push 1_.0059B21C
0059B1A4  push dword ptr fs:
0059B1A7  mov dword ptr fs:,esp
0059B1AA  lea eax,dword ptr ss:
0059B1AD  push eax
0059B1AE  lea eax,dword ptr ss:
0059B1B1  call 1_.0059AECC
0059B1B6  push dword ptr ss: ; machine code
0059B1B9  push 1_.0059B230 ; ASCII "QStudio Manager"
0059B1BE  push 1_.0059B248 ; ASCII "MG4"
0059B1C3  push 1_.0059B254 ; ASCII "~!@#$%^&*()_+|"
0059B1C8  lea eax,dword ptr ss:
0059B1CB  mov edx,4
0059B1D0  call 1_.00404D28
0059B1D5  mov eax,dword ptr ss: ; concatenate the strings above
0059B1D8  lea edx,dword ptr ss:
0059B1DB  call 1_.0059A338 ; standard MD5 computation
0059B1E0  mov eax,dword ptr ss: ; result returned in eax
0059B1E3  mov ecx,9
0059B1E8  mov edx,0C
0059B1ED  call 1_.00404EC0 ; take 9 characters starting at position 12
0059B1F2  mov ecx,dword ptr ss:
0059B1F5  mov eax,ebx
0059B1F7  mov edx,1_.0059B248 ; ASCII "MG4"
0059B1FC  call 1_.00404CB4 ; concatenate with MG4 and it is done!
0059B201  xor eax,eax
0059B203  pop edx
0059B204  pop ecx
0059B205  pop ecx
0059B206  mov dword ptr fs:,edx
0059B209  push 1_.0059B223
0059B20E  lea eax,dword ptr ss:
0059B211  mov edx,4
0059B216  call 1_.004049D4
0059B21B  retn
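【Algorithm summary】
1. machine code+QStudio Manager+MG4+~!@#$%^&*()_+| Note: "+" is the concatenation operator
2. Run the standard MD5 computation on the string assembled above
3. Take 9 characters starting at position 12 of the MD5 result
4. Put MG4 in front and that is the registration code
Appendix: the registration information is stored in HKEY_LOCAL_MACHINE\SOFTWARE\QStudio\manager; delete it and you can continue studying
【Keygen】
VB registration source code:
Private Sub Command1_Click()
    Dim a, B, C, D, code, tzm, reg As String
    a = "QStudio Manager"
    B = "MG4"
    C = "~!@#$%^&*()_+|"
    D = "MG4"
    code = Text1.Text
    Set c1 = New Class1 ' Call the MD5 module: first convert the string to its MD5 digest, ready for the next step
    tzm = c1.Md5_String_Calc(code & a & B & C)
    reg = Mid(tzm, 12, 9)
    Text2 = D & reg
End Sub
***********************************************MD5 class module***************************************************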
Option Explicit
' Visual Basic MD5 Implementation
' Robert Hubley and David Midkiff ([email protected])
' modify by simonyan, Support chinese
' Standard MD5 implementation optimised for the Visual Basic environment.
' Conforms to all standards and can be used in digital signature or password
' protection related schemes.
Private Const OFFSET_4 = 4294967296#
Private Const MAXINT_4 = 2147483647
Private State(4) As Long
Private ByteCounter As Long
Private ByteBuffer(63) As Byte
Private Const S11 = 7
Private Const S12 = 12
Private Const S13 = 17
Private Const S14 = 22
Private Const S21 = 5
Private Const S22 = 9
Private Const S23 = 14
Private Const S24 = 20
Private Const S31 = 4
Private Const S32 = 11
Private Const S33 = 16
Private Const S34 = 23
Private Const S41 = 6
Private Const S42 = 10
Private Const S43 = 15
Private Const S44 = 21
Property Get RegisterA() As String
RegisterA = State(1)
End Property
Property Get RegisterB() As String
RegisterB = State(2)
End Property
Property Get RegisterC() As String
RegisterC = State(3)
End Property
Property Get RegisterD() As String
RegisterD = State(4)
End Property
Public Function Md5_String_Calc(SourceString As String) As String
MD5Init
MD5Update LenB(StrConv(SourceString, vbFromUnicode)), StringToArray(SourceString)
MD5Final
Md5_String_Calc = GetValues
End Function
Public Function Md5_File_Calc(InFile As String) As String
GoSub begin
begin:
Dim FileO As Integer
FileO = FreeFile
Call FileLen(InFile)
Open InFile For Binary Access Read As #FileO
MD5Init
Do While Not EOF(FileO)
Get #FileO, , ByteBuffer
If Loc(FileO) < LOF(FileO) Then
ByteCounter = ByteCounter + 64
MD5Transform ByteBuffer
End If
Loop
ByteCounter = ByteCounter + (LOF(FileO) Mod 64)
Close #FileO
MD5Final
Md5_File_Calc = GetValues
End Function
Private Function StringToArray(InString As String) As Byte()
Dim I As Integer, bytBuffer() As Byte
ReDim bytBuffer(LenB(StrConv(InString, vbFromUnicode)))
bytBuffer = StrConv(InString, vbFromUnicode)
StringToArray = bytBuffer
End Function
Public Function GetValues() As String
GetValues = LongToString(State(1)) & LongToString(State(2)) & LongToString(State(3)) & LongToString(State(4))
End Function
Private Function LongToString(Num As Long) As String
Dim a As Byte, B As Byte, C As Byte, D As Byte
a = Num And &HFF&
If a < 16 Then LongToString = "0" & Hex(a) Else LongToString = Hex(a)
B = (Num And &HFF00&) \ 256
If B < 16 Then LongToString = LongToString & "0" & Hex(B) Else LongToString = LongToString & Hex(B)
C = (Num And &HFF0000) \ 65536
If C < 16 Then LongToString = LongToString & "0" & Hex(C) Else LongToString = LongToString & Hex(C)
If Num < 0 Then D = ((Num And &H7F000000) \ 16777216) Or &H80& Else D = (Num And &HFF000000) \ 16777216
If D < 16 Then LongToString = LongToString & "0" & Hex(D) Else LongToString = LongToString & Hex(D)
End Function
Public Sub MD5Init()
ByteCounter = 0
State(1) = UnsignedToLong(1732584193#)
State(2) = UnsignedToLong(4023233417#)
State(3) = UnsignedToLong(2562383102#)
State(4) = UnsignedToLong(271733878#)
End Sub
Public Sub MD5Final()
Dim dblBits As Double, padding(72) As Byte, lngBytesBuffered As Long
padding(0) = &H80
dblBits = ByteCounter * 8
lngBytesBuffered = ByteCounter Mod 64
If lngBytesBuffered <= 56 Then MD5Update 56 - lngBytesBuffered, padding Else MD5Update 120 - ByteCounter, padding
padding(0) = UnsignedToLong(dblBits) And &HFF&
padding(1) = UnsignedToLong(dblBits) \ 256 And &HFF&
padding(2) = UnsignedToLong(dblBits) \ 65536 And &HFF&
padding(3) = UnsignedToLong(dblBits) \ 16777216 And &HFF&
padding(4) = 0
padding(5) = 0
padding(6) = 0
padding(7) = 0
MD5Update 8, padding
End Sub
Public Sub MD5Update(InputLen As Long, InputBuffer() As Byte)
Dim II As Integer, I As Integer, J As Integer, K As Integer, lngBufferedBytes As Long, lngBufferRemaining As Long, lngRem As Long
lngBufferedBytes = ByteCounter Mod 64
lngBufferRemaining = 64 - lngBufferedBytes
ByteCounter = ByteCounter + InputLen
If InputLen >= lngBufferRemaining Then
For II = 0 To lngBufferRemaining - 1
ByteBuffer(lngBufferedBytes + II) = InputBuffer(II)
Next II
MD5Transform ByteBuffer
lngRem = (InputLen) Mod 64
For I = lngBufferRemaining To InputLen - II - lngRem Step 64
For J = 0 To 63
ByteBuffer(J) = InputBuffer(I + J)
Next J
MD5Transform ByteBuffer
Next I
lngBufferedBytes = 0
Else
I = 0
End If
For K = 0 To InputLen - I - 1
ByteBuffer(lngBufferedBytes + K) = InputBuffer(I + K)
Next K
End Sub
Private Sub MD5Transform(Buffer() As Byte)
Dim X(16) As Long, a As Long, B As Long, C As Long, D As Long
a = State(1)
B = State(2)
C = State(3)
D = State(4)
Decode 64, X, Buffer
FF a, B, C, D, X(0), S11, -680876936
FF D, a, B, C, X(1), S12, -389564586
FF C, D, a, B, X(2), S13, 606105819
FF B, C, D, a, X(3), S14, -1044525330
FF a, B, C, D, X(4), S11, -176418897
FF D, a, B, C, X(5), S12, 1200080426
FF C, D, a, B, X(6), S13, -1473231341
FF B, C, D, a, X(7), S14, -45705983
FF a, B, C, D, X(8), S11, 1770035416
FF D, a, B, C, X(9), S12, -1958414417
FF C, D, a, B, X(10), S13, -42063
FF B, C, D, a, X(11), S14, -1990404162
FF a, B, C, D, X(12), S11, 1804603682
FF D, a, B, C, X(13), S12, -40341101
FF C, D, a, B, X(14), S13, -1502002290
FF B, C, D, a, X(15), S14, 1236535329
GG a, B, C, D, X(1), S21, -165796510
GG D, a, B, C, X(6), S22, -1069501632
GG C, D, a, B, X(11), S23, 643717713
GG B, C, D, a, X(0), S24, -373897302
GG a, B, C, D, X(5), S21, -701558691
GG D, a, B, C, X(10), S22, 38016083
GG C, D, a, B, X(15), S23, -660478335
GG B, C, D, a, X(4), S24, -405537848
GG a, B, C, D, X(9), S21, 568446438
GG D, a, B, C, X(14), S22, -1019803690
GG C, D, a, B, X(3), S23, -187363961
GG B, C, D, a, X(8), S24, 1163531501
GG a, B, C, D, X(13), S21, -1444681467
GG D, a, B, C, X(2), S22, -51403784
GG C, D, a, B, X(7), S23, 1735328473
GG B, C, D, a, X(12), S24, -1926607734
HH a, B, C, D, X(5), S31, -378558
HH D, a, B, C, X(8), S32, -2022574463
HH C, D, a, B, X(11), S33, 1839030562
HH B, C, D, a, X(14), S34, -35309556
HH a, B, C, D, X(1), S31, -1530992060
HH D, a, B, C, X(4), S32, 1272893353
HH C, D, a, B, X(7), S33, -155497632
HH B, C, D, a, X(10), S34, -1094730640
HH a, B, C, D, X(13), S31, 681279174
HH D, a, B, C, X(0), S32, -358537222
HH C, D, a, B, X(3), S33, -722521979
HH B, C, D, a, X(6), S34, 76029189
HH a, B, C, D, X(9), S31, -640364487
HH D, a, B, C, X(12), S32, -421815835
HH C, D, a, B, X(15), S33, 530742520
HH B, C, D, a, X(2), S34, -995338651
II a, B, C, D, X(0), S41, -198630844
II D, a, B, C, X(7), S42, 1126891415
II C, D, a, B, X(14), S43, -1416354905
II B, C, D, a, X(5), S44, -57434055
II a, B, C, D, X(12), S41, 1700485571
II D, a, B, C, X(3), S42, -1894986606
II C, D, a, B, X(10), S43, -1051523
II B, C, D, a, X(1), S44, -2054922799
II a, B, C, D, X(8), S41, 1873313359
II D, a, B, C, X(15), S42, -30611744
II C, D, a, B, X(6), S43, -1560198380
II B, C, D, a, X(13), S44, 1309151649
II a, B, C, D, X(4), S41, -145523070
II D, a, B, C, X(11), S42, -1120210379
II C, D, a, B, X(2), S43, 718787259
II B, C, D, a, X(9), S44, -343485551
State(1) = LongOverflowAdd(State(1), a)
State(2) = LongOverflowAdd(State(2), B)
State(3) = LongOverflowAdd(State(3), C)
State(4) = LongOverflowAdd(State(4), D)
End Sub
Private Sub Decode(Length As Integer, OutputBuffer() As Long, InputBuffer() As Byte)
Dim intDblIndex As Integer, intByteIndex As Integer, dblSum As Double
For intByteIndex = 0 To Length - 1 Step 4
dblSum = InputBuffer(intByteIndex) + InputBuffer(intByteIndex + 1) * 256# + InputBuffer(intByteIndex + 2) * 65536# + InputBuffer(intByteIndex + 3) * 16777216#
OutputBuffer(intDblIndex) = UnsignedToLong(dblSum)
intDblIndex = intDblIndex + 1
Next intByteIndex
End Sub
Private Function FF(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
a = LongOverflowAdd4(a, (B And C) Or (Not (B) And D), X, ac)
a = LongLeftRotate(a, S)
a = LongOverflowAdd(a, B)
End Function
Private Function GG(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
a = LongOverflowAdd4(a, (B And D) Or (C And Not (D)), X, ac)
a = LongLeftRotate(a, S)
a = LongOverflowAdd(a, B)
End Function
Private Function HH(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
a = LongOverflowAdd4(a, B Xor C Xor D, X, ac)
a = LongLeftRotate(a, S)
a = LongOverflowAdd(a, B)
End Function
Private Function II(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
a = LongOverflowAdd4(a, C Xor (B Or Not (D)), X, ac)
a = LongLeftRotate(a, S)
a = LongOverflowAdd(a, B)
End Function
Function LongLeftRotate(value As Long, Bits As Long) As Long
Dim lngSign As Long, lngI As Long
Bits = Bits Mod 32
If Bits = 0 Then LongLeftRotate = value: Exit Function
For lngI = 1 To Bits
lngSign = value And &HC0000000
value = (value And &H3FFFFFFF) * 2
value = value Or ((lngSign < 0) And 1) Or (CBool(lngSign And &H40000000) And &H80000000)
Next
LongLeftRotate = value
End Function
Private Function LongOverflowAdd(Val1 As Long, Val2 As Long) As Long
Dim lngHighWord As Long, lngLowWord As Long, lngOverflow As Long
lngLowWord = (Val1 And &HFFFF&) + (Val2 And &HFFFF&)
lngOverflow = lngLowWord \ 65536
lngHighWord = (((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF&
LongOverflowAdd = UnsignedToLong((lngHighWord * 65536#) + (lngLowWord And &HFFFF&))
End Function
Private Function LongOverflowAdd4(Val1 As Long, Val2 As Long, val3 As Long, val4 As Long) As Long
Dim lngHighWord As Long, lngLowWord As Long, lngOverflow As Long
lngLowWord = (Val1 And &HFFFF&) + (Val2 And &HFFFF&) + (val3 And &HFFFF&) + (val4 And &HFFFF&)
lngOverflow = lngLowWord \ 65536
lngHighWord = (((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + ((val3 And &HFFFF0000) \ 65536) + ((val4 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF&
LongOverflowAdd4 = UnsignedToLong((lngHighWord * 65536#) + (lngLowWord And &HFFFF&))
End Function
Private Function UnsignedToLong(value As Double) As Long
If value < 0 Or value >= OFFSET_4 Then Error 6
If value <= MAXINT_4 Then UnsignedToLong = value Else UnsignedToLong = value - OFFSET_4
End Function
Private Function LongToUnsigned(value As Long) As Double
If value < 0 Then LongToUnsigned = value + OFFSET_4 Else LongToUnsigned = value
End Function
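【Copyright notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!

Learning. Where can I find MD5 source code!

Originally posted by 546m at 2005-9-2 01:24 PM:
Learning. Where can I find MD5 source code!
MD5 modules are available for download online!

Lesson learned, thanks

Just arrived and already learned a lot of good things

Many thanks! Support!!!

The video won't download

MD5 ("矛盾5") makes my head spin!

Learning

The moderator's posts are good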
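
The registration check analysed in this thread recomputes the expected code inside the program from the machine code and constants stored in the binary, so everything needed to produce a valid code ships with the product. The sketch below is an added example, not part of the original thread or the product's code, showing a design without that property: the vendor signs the machine code and the program only verifies the signature with a public key. The function names, the sample machine codes, the toy key built from two public Mersenne primes and the unpadded textbook RSA are assumptions made to keep it standard-library only; a production build would use a vetted library with RSA-PSS or Ed25519.

```python
import hashlib

# Constructed toy key (assumption, demo only): both primes are public Mersenne
# primes, so this particular key protects nothing. It only shows the structure.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                    # public key: the only part shipped in the program
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: stays on the vendor's server


def _digest(machine_code: str) -> int:
    """SHA-256 of the machine code as an integer (256 bits, always below N)."""
    return int.from_bytes(hashlib.sha256(machine_code.encode("utf-8")).digest(), "big")


def vendor_issue(machine_code: str) -> str:
    """Vendor side (hypothetical name): sign the customer's machine code."""
    return format(pow(_digest(machine_code), D, N), "x")


def client_verify(machine_code: str, license_hex: str) -> bool:
    """Client side (hypothetical name): uses only N and E, so reading the
    program shows how a license is checked but not how to create one."""
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False                   # not hexadecimal at all
    if not 0 < sig < N:
        return False                   # out of range for this key
    return pow(sig, E, N) == _digest(machine_code)


def demo() -> dict:
    """Run the checks on constructed sample values and return each outcome."""
    lic = vendor_issue("SAMPLE-MACHINE-0001")
    flipped = lic[:-1] + ("1" if lic[-1] == "0" else "0")   # alter the last hex digit
    return {
        "valid": client_verify("SAMPLE-MACHINE-0001", lic),
        "other_machine": client_verify("SAMPLE-MACHINE-0002", lic),
        "tampered": client_verify("SAMPLE-MACHINE-0001", flipped),
        "garbage": client_verify("SAMPLE-MACHINE-0001", "not-a-license"),
    }
```

Signature verification does not stop someone from patching the conditional jump after the check; it only removes the ability to derive valid codes from the shipped binary.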